Thursday, June 9, 2011

Chain of Custody

Chain of custody is defined as “the order in which a piece of criminal evidence should be handled by persons investigating a case, specif. the unbroken trail of accountability that ensures the physical security of samples, data, and records in a criminal investigation” (Dictionary.com, n.d.). The Royal Canadian Mounted Police (RCMP), the branch of the Canadian government responsible for investigating digital crime in Canada, refers to chain of custody as “the tracking of evidence items from the scene of a crime to the item presentation in a legal proceeding” (Royal Canadian Mounted Police, 2008a). In other words, chain of custody is the process of handling (digital) evidence so as to ensure its authenticity, and therefore its admissibility, in a court of law. It is imperative to maintain the chain of custody, especially in cases where there is a strong reliance on the digital evidence, since “altered [evidence] and a break in the chain of custody would undoubtedly compromise the evidential weighting in a criminal case” (Royal Canadian Mounted Police, 2008a).

As a result, in its guide for victims of copyright and trademark infringement (Royal Canadian Mounted Police, 2008b), the RCMP instructs evidence handlers to keep the evidence under lock and key and to maintain the chain of custody by documenting all handling and movement of the exhibit, including the date and the signature of the individual handling the evidence. Furthermore, the chain of custody has to be maintained (recorded and traceable) from the initial acquisition of the evidence to its presentation in a court of law.

The importance of maintaining the chain of custody is not limited to criminal cases. For example, a decision to dismiss an employee for violating corporate policy could end up in court as a non-criminal case: the employee could file a “wrongful dismissal” suit against the employer, and the collected digital data could become critical evidence. If the defence alleges that the digital evidence has been altered, or could have been altered, it is up to the prosecution to prove otherwise (Douglas Schweitzer, 2003).

In many cases, traditional methods of handling digital data are not sufficient to ensure the admissibility of digital evidence in a court of law. For example, a standard file-copying technique, such as the copy or cp command, can alter the access time of the original file, thereby impacting the authenticity of potential evidence. Furthermore, simply “pulling the plug” (as a way to preserve the data on non-volatile storage) could result in the loss of a vast amount of volatile data, such as encryption keys and “hacking tools and malicious software that may exist solely within memory” (Association of Chief Police Officers, 2008).
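The record-keeping the RCMP guide calls for (who handled the exhibit, when, and what was done) and the integrity concern raised in the last paragraph can be combined in a simple custody ledger that hashes the exhibit at every hand-over and flags the first entry whose hash no longer matches the acquisition. The Python below is an added illustration, not part of the original post or of any RCMP procedure; the exhibit file, handler names and log layout are constructed for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash the exhibit in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def record_transfer(log, exhibit, handler, action):
    """Append one custody entry: handler, action, UTC time and the exhibit hash
    at hand-over (the digital counterpart of a dated signature on a paper form)."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "sha256": sha256_of(exhibit),
    }
    log.append(entry)
    return entry

def verify_chain(log):
    """Return (ok, reason): intact only if every hand-over recorded the same
    hash as the acquisition entry; the first mismatch marks the break."""
    if not log:
        return False, "empty log: no acquisition entry"
    baseline = log[0]["sha256"]
    for i, entry in enumerate(log[1:], start=1):
        if entry["sha256"] != baseline:
            return False, f"hash mismatch at entry {i} ({entry['handler']}, {entry['action']})"
    return True, "chain intact"

def demo():
    """Constructed scenario: acquisition, a clean hand-over, then a hand-over
    after the exhibit was modified. Returns (ok_before, ok_after, reason)."""
    with tempfile.TemporaryDirectory() as workdir:
        exhibit = Path(workdir) / "exhibit.img"   # constructed sample exhibit
        exhibit.write_bytes(b"constructed sample disk image")
        log = []
        record_transfer(log, exhibit, "A. Examiner", "acquired at scene")
        record_transfer(log, exhibit, "B. Analyst", "received for analysis")
        ok_before, _ = verify_chain(log)
        exhibit.write_bytes(b"constructed sample disk image, altered")
        record_transfer(log, exhibit, "C. Clerk", "received for storage")
        ok_after, reason = verify_chain(log)
    return ok_before, ok_after, reason
```

In practice the ledger itself must be protected (signed, or kept on write-once media) so that a tampered exhibit cannot be covered by a rewritten log.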